Through an operation called Turbine, the NSA crafted an automated system designed to hack "millions" of computers, new documents from Edward Snowden's leaks on government surveillance reveal.
According to documents published by The Intercept on Wedesday, Turbine created "implants" that let it gain access to peoples' computers. Getting the implants onto machines involved an array of deceptions: fake Facebook Web pages, spam emails with malicious links, and man-in-the-middle attacks that would "shoot" bogus data at a target's computer when the NSA detected it was visiting a Web site the NSA could spoof.
Once the National Security Agency implants were installed, they could be used to gain access to data before it was encrypted. As the article describes some of the work:
An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer's microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer's webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.
Though the system was designed to work at large scale, through automated attack mechanisms that don't require human intervention, it's not clear exactly how broadly it actually was used. However, it appears the NSA was interested in more people than just the direct targets.
Attacking system administrators at foreign telecommunications and Internet service providers apparently was one broader group, for example. "Sys admins are a means to an end," according to one document, since they make it easier to target a "government official that happens to be using the network some admin takes care of."
In a statement to The Intercept, the NSA didn't comment on specifics but said, "As the president made clear on 17 January, signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes."
However, on Thursday, the NSA denied actual large-scale hacking, though not the technical capability, and said it doesn't "impersonate U.S. company Web sites":
Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which that capability must be employed.
NSA's authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company Web sites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false.
Update, Thursday at 12:57 p.m. PT Added new NSA statement denying some of the allegations.